1. Field of the Invention
The present invention relates to a cipher communication in the communication network.
2. Description of the Related Art
One example of a conventional cipher communication system is disclosed in "Installment and evaluation of the LAN cipher communication system", OFS-38(1994-3) p. 7-p. 12, published by the Institute of Electronics, Information and Communication Engineers. This system is configured by a communication terminal and a key managing workstation, which include ciphertext communication boards and are connected to the Local Area Network ("LAN", hereinafter).
The above conventional cipher communication system is shown in FIG. 38.
Communication terminals 210 and 220 are connected to the LAN 10 through encryptors 410 and 420. 30 denotes a key manager.
The communication terminals respectively include applications 2110 and 2210, communication controlling units 2120 and 2220, and cipher communication controlling units 2130 and 2230. The key manager 30 includes a session key generating unit 310, a session key managing unit 320, a session key encrypting unit 340, a session key sending unit 350 and a session key enquiry receiving unit 360. The encryptors 410 and 420 respectively include session key decrypting units 4110 and 4210, user data encrypting/decrypting units 4130 and 4230, user data sending/receiving units 4140 and 4240, and session key enquiring units 4160 and 4260.
FIG. 39 shows a configuration of the session key enquiring unit 4160 in detail. The session key enquiring unit 4160 includes a session key memorizing unit 4161, a session key enquiry sending unit 4162, and a session key receiving unit 4163. The session key enquiring unit 4260 has the same configuration as the above session key enquiring unit 4160.
Data communication procedure will be explained in the following in the above conventional cipher communication system.
Both encryptors connected to the communication terminals have the common session key to encrypt/decrypt data for the cipher communication between two terminals. To have the common session keys in the encryptors, a procedure called "key distribution" is executed.
The cipher communication requires a key distribution procedure and a user data sending/receiving procedure. Conventionally, every sending/receiving procedure of user data has to follow the key distribution procedure in the cipher communication with an arbitrary partner.
In the following, the key distribution procedure is explained when the application 2110 of the communication terminal 210 communicates with the application 2210 of the communication terminal 220 connected through the LAN 10.
It is assumed that an address of the communication terminal 210, which sends data first, is "A" and the communication terminal 220 has an address "B".
FIG. 40 is a sequence chart showing a procedure of distributing the session key in the conventional cipher communication system.
When the application 2110 of the communication terminal 210 starts to communicate with the application 2210 of the communication terminal 220 connected through the LAN 10, the application 2110 activates the communication controlling unit 2120. The application 2110 sends information of the address "B" of the communication terminal 220 to the communication controlling unit 2120 as an address of the communicating partner.
The communication controlling unit 2120 stores the address "B" of the communication terminal 220 in storage (this is not shown in the figure) and sends information of the address "B" of the communication terminal 220 to the cipher communication controlling unit 2130.
The cipher communication controlling unit 2130 sends a requesting command of starting communication including the information of the address "B" to the encryptor 410. The requesting command of starting communication is sent to the session key enquiry sending unit 4162 of the session key enquiring unit 4160 of the encryptor 410.
The session key enquiry sending unit 4162 gets the information of the address "B" included in the above requesting command of starting communication. The session key enquiry sending unit 4162 generates a key distribution requesting command "KEYREQ" including the address "B" and sends the key distribution requesting command "KEYREQ" to the key manager 30 through the LAN 10 (see S13 in FIG. 40). The session key memorizing unit 4161 receives the information of the address "B" from the session key enquiry sending unit 4162 and memorizes the information of the address "B".
The key distribution requesting command "KEYREQ" received by the key manager 30 is sent to the session key enquiry receiving unit 360. The session key enquiry receiving unit 360 gets the address "A" of the instructing partner of the key distribution requesting command. The address "A" is defined as an address of a key distribution requesting partner. The session key enquiry receiving unit 360 also gets the address "B" from the information included in the key distribution requesting command "KEYREQ". The address "B" is defined as an address of a communicating partner and is sent to the session key managing unit 320.
The session key managing unit 320 stores a pair of the address "A" of the key distribution requesting partner and the address "B" of the communicating partner in the storage (not shown in the figure). The session key managing unit 320 also activates the session key generating unit 310.
When activated by the session key managing unit 320, the session key generating unit 310 generates a random number. This random number is sent to the session key managing unit 320 as a session key.
The session key managing unit 320 stores a pair of the above session key and the pair of the address "A" and the address "B" in the storage. The session key managing unit 320 also sends the session key to the session key encrypting unit 340.
The session key encrypting unit 340 encrypts the session key by a master key (key encryption key) and sends the encrypted result to the session key managing unit 320 as an encryption session key.
The session key managing unit 320 sends the encryption session key and the pair of the address "A", the address of the key distribution requesting partner, and the address "B", the address of the communicating partner, stored in the storage, to the session key sending unit 350.
The session key sending unit 350 generates a session key distributing command "KEYDIST" including the encryption session key and the address "B" of the communicating partner and sends "KEYDIST" to the encryptor 410 connected to the communication terminal 210 located in the address "A" of the key distribution requesting partner (see S14).
The session key distributing command "KEYDIST" received from the encryptor 410 is sent to the session key receiving unit 4163 of the session key enquiring unit 4160.
The session key receiving unit 4163 gets the encryption session key and the address "B" of the communicating partner from the session key distributing command "KEYDIST". The session key receiving unit 4163 stores the address "B" in the storage and sends the encryption session key to the session key decrypting unit 4110.
The session key decrypting unit 4110 decrypts the encryption session key by the preset master key. The decrypted result is sent to the session key receiving unit 4163 as the session key.
The session key receiving unit 4163 sends the session key to the session key memorizing unit 4161. The session key receiving unit 4163 also sends a session key acknowledging command "KEYDIST-ACK" to the key manager 30 (see S15). The session key memorizing unit 4161 memorizes the information of the address "B" of the communicating partner stored in the storage and the session key as a pair.
The session key acknowledging command "KEYDIST-ACK" received by the key manager 30 is sent to the session key sending unit 350. The address "A" the address of the command sending partner, is obtained from the command and stored in the storage as the address of the key distribution requesting partner. The address "A" is also sent to the session key managing unit 320.
The session key managing unit 320 checks the address of the key distribution requesting partner with the address of the key distribution requesting partner previously stored in the storage. Based on the above check result, a pair of information, that is, the address "B" of the communicating partner and the session key, corresponding to the address of the key distribution requesting partner, is selected. The address "B" is stored in the storage and the session key is also sent to the session key encrypting unit 340.
The session key encrypting unit 340 encrypts the session key by the preset master key and the encrypted result is sent to the session key managing unit 320 as the encryption session key.
The session key managing unit 320 sends a pair of information of the encryption session key and the address "B" of the communicating partner stored in the storage to the session key sending unit 350. The session key sending unit 350 generates the session key distributing command "KEYDIST" including the encryption session key and the address "A" of the key distribution requesting partner stored in the storage. The "KEYDIST" is sent to the encryptor 420 connected to the communication terminal located in the address "B" of the communicating partner (see S16).
The encryptor 420 executes the same operation as the above encryptor 410. The encryptor 420 generates and sends the session key acknowledging command "KEYDIST-ACK" to the key manager 30 (see S17).
The "KEYDIST-ACK" received by the key manager 30 is sent to the session key sending unit 350. The address "B" of command sending partner is got from the command and stored in the storage as the address of the communicating partner. The address "B" is also sent to the session key managing unit 320.
The session key managing unit 320 checks the above address of the communicating partner with the address of the communicating partner previously stored in the storage. Based on the above check result, the address "A" of the key distribution requesting partner, stored as a pair with the above matched address of the communicating partner, is selected and sent to the session key sending unit 350.
The session key sending unit 350 generates a communication starting command "START" including the address "B" of the communicating partner stored in the storage. This communication starting command "START" is sent to the encryptor 410 connected to the communication terminal located in the address "A" of the key distribution requesting partner (see S18).
The communication starting command "START" received by the encryptor 410 is sent to the user data sending/receiving unit 4140. The user data sending/receiving unit 4140 gets information of the address "B" of the communicating partner from the communication starting command "START" and stored in the storage. The user data sending/receiving unit 4140 also sends a key distribution recognizing command to the communication terminal 210.
The key distribution recognizing command is sent to the cipher communication controlling unit 2130 of the communication terminal 210. The cipher communication controlling unit 2130 gets information of the address "B" of the communicating partner included in the key distribution recognizing command. A pair of the obtained address as the address of the communicating partner and information showing "ON" of a communication starting flag is stored in the storage. A communication starting notice including the address of the communicating partner is sent to the communication controlling unit 2120.
The keys are distributed as described above and the encryptors 410 and 420 have the common session keys.
In the following, sending procedure of the user data will be explained in detail when the application 2110 of the communication terminal 210 communicates with the application 2210 of the communication terminal 220 connected through the LAN 10.
The application 2110 of the communication terminal 210 sends a pair of user data and the address "B" of the communication terminal 220 to the communication controlling unit 2120. The communication controlling unit 2120 sends the pair of user data and the address "B" of the communication terminal 220 to the encryptor 410.
The pair of the user data and the address "B" of the communication terminal 220 is sent to the user data sending/receiving unit 4140. The user data sending/receiving unit 4140 sends the pair of user data and the address "B" of the communication terminal 220 to the user data encrypting/decrypting unit 4130.
The user data encrypting/decrypting unit 4130 checks the address "B" of the communication terminal 220 with the address stored in the storage as a pair of the address and the session key. The user data encrypting/decrypting unit 4130 encrypts the user data using the session key stored as a pair with the address "B" of the communicating partner. A pair of the encrypted user data and the address of the communicating partner is sent to the user data sending/receiving unit 4140.
The user data sending/receiving unit 4140 generates a user data sending command including the encrypted user data from the pair of the encrypted user data and the address "B" of the communicating partner and sends the user data sending command to the encryptor 420.
The user data sending command received by the encryptor 420 is sent to the user data sending/receiving unit 4240. The user data sending/receiving unit 4240 gets information of the encrypted user data and the address "A" of the communicating partner included in the user data sending command. The user data sending/receiving unit 4240 sends a pair of the encrypted user data and the address "A" to the user data encrypting/decrypting unit 4230.
The user data encrypting/decrypting unit 4230 checks the address "A" of the communicating partner with the address of the pair of the address and the session key stored in the storage. The user data encrypting/decrypting unit 4230 decrypts the encrypted user data using the paired session key stored with the address "A". A pair of the decrypted result of user data and the address of the communicating partner is sent to the user data sending/receiving unit 4240.
The user data sending/receiving unit 4240 sends the pair of the user data and the address to the communication terminal 220. The pair of the user data and the address received by the communication terminal 220 is further sent to the communication controlling unit 2220. The communication controlling unit 2220 sends the pair of the user data and the address to the application 2210.
In the conventional cipher communication system, every sending/receiving of user data should be preceded by the key distribution on communicating with an arbitrary partner as described above. The information of the encryption key should be registered for each communicating partner. An extra unit of the cipher communication controlling unit should be included in the communication terminal to utilize the cipher.
As another example of conventional cipher communication system, "Common operation key setting device for an encryptor" for a plurality of domains of data communication network is disclosed in the Japanese unexamined patent publication No. SH054-93937, (corresponding U.S. patent application: U.S. Ser. No. 857,531 filed on Dec. 5, 1977, issued Oct. 7, 1980 as U.S. Pat. No. 4,227,253).
In the conventional cipher communication system, the communication terminal has to request the session key from the key manager for each communicating partner. The session key is distributed to the communication terminal from the key manager prior to starting the communication. In the conventional cipher communication system, it has not been considered a case that a plurality of communication terminals located in the same location are bound as a group.
Another problem is that the communication terminals connected to the encryptors cannot send/receive plaintext (unencrypted text) such as electronic mail, etc.
Another problem is that it is impossible to choose the communication mode between plaintext and ciphertext depending on the communication terminal, application or communicating direction. It is also impossible to encrypt data using an arbitrary key selected from a plurality of keys.
Another problem is that data cannot be encrypted under various condition being different for each communication terminal, when a plurality of communication terminals are connected to one encryptor.
In Japanese unexamined patent publication No. SH054-93937, a common encryption key can be set for encrypting data among plural domains, however, it is not disclosed a case that the cipher communication can be performed using the common encryption key in a plurality of overlapped groups.